Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ansible
(Redhat)Repositories | https://github.com/ansible/ansible |
#Vulnerabilities | 45 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-05-26 | CVE-2021-20191 | A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. | Virtualization, Ansible, Ansible_tower, Cisco_nx\-Os_collection, Community_general_collection, Community_network_collection, Docker_community_collection, Google_cloud_platform_ansible_collection | 5.5 | ||
2022-03-16 | CVE-2021-20180 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | Ansible | 5.5 | ||
2022-10-28 | CVE-2022-3697 | A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. | Ansible, Ansible_collection | 7.5 | ||
2023-12-12 | CVE-2023-5764 | A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. | Extra_packages_for_enterprise_linux, Fedora, Ansible, Ansible_automation_platform, Ansible_developer, Ansible_inside | 7.8 | ||
2024-02-06 | CVE-2024-0690 | An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. | Fedora, Ansible, Ansible_automation_platform, Ansible_developer, Ansible_inside, Enterprise_linux | 5.5 | ||
2019-11-22 | CVE-2019-10206 | ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. | Debian_linux, Backports_sle, Leap, Ansible | 6.5 | ||
2018-04-24 | CVE-2016-9587 | Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. | Ansible, Ansible, Openstack | 8.1 | ||
2018-07-31 | CVE-2016-8628 | Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. | Ansible | 9.1 | ||
2018-07-31 | CVE-2016-8614 | A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. | Ansible | 7.5 | ||
2020-01-09 | CVE-2014-2686 | Ansible prior to 1.5.4 mishandles the evaluation of some strings. | Ansible | 7.5 |